Why hotel WiFi connections are a hacker's dream come true - explained

With your feet up at the end of a long day and with the tiny kettle boiling, it can be very tempting to log into your hotel's WiFi connection and have a scroll through social media. You may quickly log in to your online banking, download some podcasts or even send some work emails.

But have you ever stopped to consider the hotspot you are connected to – which is probably using the name of the hotel followed by the word 'Guest' – is actually a trap?

That your usernames, passwords and other sensitive information may be flowing directly into the hands of a hacker? You should, cybersecurity experts warn.

This week (12 September), research from Broadband Genie, which asked 2,512 thousand people about their internet access when staying in hotels, found that more than 90% admitted to logging in when it's available.

A whole 58% said they were not worried about being monitored.

The survey revealed that the most popular uses for hotel WiFi included email and internet browsing.

A small, but still significant, number (26%) said they used it for work purposes. But nearly all respondents, it claimed, were accessing some form of private data.

You may think it's not important. Why would a hacker be interested in you, after all?

Unfortunately, hackers trade in data – and hotel WiFi connects transmit a lot of sensitive information. Emails contain passwords. Work email accounts are a chance to mould successful social engineering attacks. Your bank account – well, that one is obvious.

Does the connection even have a password?

"Assuming the hotel WiFi is unsecured, the range of potential attacks is broad," Ondrej Kubovič, a security expert at Slovakia-based antivirus firm ESET, told IBTimes UK.

"An attacker can passively eavesdrop on the victim's communication, alter it, hijack the user's session, redirect him/her to malicious sites, extract sensitive data or even manipulate the victim to download malware and take control of his/her device," he added.

Rob Hillborn, head of strategy at Broadband Genie, elaborated: "I think many go in on the assumption they are secure because they've paid for a service and are in a safe environment, where actually we should always be erring on the side of caution on any WiFi connection."

Studies show that such connections are a major weak spot for the general public.

In 2015, cybersecurity firm F-Secure conducted an experiment on the streets of London – creating a fake hotspot to see how many people joined without question. In one half-hour period, a whopping 250 devices connected to the hotspot, the firm later revealed in a report.

One of the terms and conditions of the hijacked hotspot's use was that the user must give up their first-born child or most beloved pet in exchange for the internet. Six people agreed.

"What are we really signing up for when we check the 'agree' box at the end of a long list of T&C's we don't read?" the firm pondered in a blog post at the time. "There's a need for more clarity and transparency about what's actually being collected or required of the user."

And when it comes to the more specific topic of WiFi in hotel rooms – hackers have been caught exploiting it for gain on numerous occasions - be it for money or espionage.

One of the most prolific groups to conduct these operations has, aptly, been dubbed DarkHotel.

In 2014, researchers from Kaspersky Lab, a Russian cybersecurity firm, found the group had – for years – been using malware on victims staying in hotels, mostly businessmen.

It took advantage of unprotected WiFi connections to launch phishing attacks.

"Considering their well-resourced, advanced exploit development efforts and large, dynamic infrastructure, we expect more DarkHotel activity in the coming years," Kaspersky Lab warned in a report at the time.

They were correct.

In 2017, the hackers were again profiled by security firm Bitdefender, which found the team had shifted its attention to political figures. "The threat actors have been able to run their business undisturbed for years," warned threat researcher Bogdan Botezatu in his analysis.

So the problem hasn't gone away. In fact, as more personal information is being bundled into smartphones and tablets, the issue is only likely to intensify, security experts believe.

"Hotel WiFi, or indeed any other public WiFi such as the ones found in airports and coffee shops, should always be approached with caution," Javvad Malik, a security advocate at AlienVault, told IBTimes UK. "It is relatively trivial for an attacker to set up a fake access point."

Users who want to browse the web using public WiFi should, if possible, use a virtual private network, or VPN, to add an extra later of security. In many cases, a common sense approach is paramount – be vigilant of what you click and make sure websites are legitimate.